10-22-2013 10:06 AM - edited 02-21-2020 07:15 PM
Hello,
I have configured AnyConnect to use a 10.0.7.0/24 subnet for its DHCP pool. I can connect to the ASA just fine, but I cannot access any internal services on my 10.0.5.0/24 subnet, which is my INSIDE interface VLAN subnet. I have set up a NAT exemption rule:
access-list inside_nat0_outbound line 2 extended permit ip 10.0.5.0 255.255.255.0 object-group Any-Connect-Pool-10-0-7-0
AnyConnect is configured to bypass all ACL rules via the sysopt connection permit-vpn.
I am not sure if I'm supposed to create another route back to the VPN subnet or what exactly. When I ping from my VPN subnet to a client on the INSIDE subnet I can see the ICMP traffic flowing through the FW, but I get no reply. I am not using split-tunneling and I cannot connect to the internet either after establishing a VPN connection.
Thanks in advance for help.
10-22-2013 10:13 AM
Hi,
Have you tried to ICMP multiple different hosts behind the "inside" interface? Have you tried to ICMP network devices behind "inside" interface? Have you confirmed that there is no software firewall causing problems on hosts?
Are you using the command "management-access inside", which should enable AnyConnect hosts to ICMP the "inside" interface IP address?
Is there a router behind the ASA which might cause problems with forwarding the return traffic?
Have you tried any TCP based connections from Client to internal hosts?
- Jouni
10-22-2013 10:18 AM
Jouni,
Thanks for the reply. I just tried to browse to an internal webserver and that worked. Why would ICMP packets not be returning back through the FW? I am pinging an internal fileserver.
Also, what do I need to do to allow http/https traffic through the VPN tunnel? I would prefer not to use a split tunnel.
10-22-2013 10:26 AM
Hi,
The default setting on an ASA firewall is that all traffic from behind a VPN connection is allowed to bypass the interface ACL of the interface to which the VPN connection is formed.
You can check this setting by issuing
show run all sysopt
You should see
sysopt connection permit-vpn
If it's set to its default. The format with "no" in front would mean that all traffic would need to be allowed in the interface ACL.
So if you are using Full Tunnel mode VPN Client at the moment and the above setting is at its default, then the ASA should not be blocking the connections, and connections like http/https should work just fine.
Also, ICMP should not be blocked by the ASA. You can always check that you have ICMP Inspection enabled, but I am not sure if it applies to this situation:
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
I would check for the possibility that the hosts/server are set to block ICMP but are allowed to send ICMP and receive reply to those.
- Jouni
10-22-2013 10:32 AM
OK - Thanks Jouni. I ran "show run all sysopt" and got these results:
show run all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt noproxyarp inside
no sysopt noproxyarp outside
no sysopt noproxyarp dmz
As far as I can read it HTTP/HTTPS traffic should not be blocked. Is that correct?
10-22-2013 10:38 AM
Hi,
As far as I know all UDP/TCP/ICMP traffic should be allowed from the Client to the hosts/servers.
Naturally this is only considering what I have seen so far.
If you have been able to connect through the VPN to some internal Web server then it would seem to suggest the connectivity between VPN Client and internal network should be fine.
Naturally, if something doesn't work it could be troubleshot with the help of logging, packet-tracer and capturing packets on the ASA itself or on the hosts.
- Jouni
10-22-2013 12:37 PM
So I am still not able to access the internet from an AnyConnect VPN client with IP address 10.0.7.5 on the /24 subnet. I can access internal services. When I do the packet trace I get an access-list error:
Interface: Outside
Source IP Address: 10.0.7.5
Destination IP Address: 74.125.228.39 (Google)
Source Port: Tried Multiple including 32000
Destination Port: http
Route Lookup: Check
Access-List: Action Drop - Rule on Outside interface Any/Any IP Deny
I tried adding an access rule on the outside interface to allow all 10.0.7.0/24 traffic access out and in.
Any thoughts?
10-22-2013 12:42 PM
Hi,
You will have to make sure that the following setting is enabled
same-security-traffic permit intra-interface
You will also have to make sure you have Dynamic PAT configured for your VPN Pool
If your current Dynamic PAT for internal users would be
global (outside) 1 interface
nat (inside) 1 10.0.5.0 255.255.255.0
Then you would need to add
nat (outside) 1 10.0.7.0 255.255.255.0
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni
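As an added illustration, not code from this thread or from Cisco: a small Python audit that reads an ASA running-config in the pre-8.3 NAT syntax used above and checks the four settings the thread converges on for a full-tunnel AnyConnect pool (intra-interface hairpinning, dynamic PAT for the pool tied to the outside global, the inside-to-pool NAT exemption, and that sysopt connection permit-vpn has not been disabled). The sample config is constructed; the function name and the network/mask form of the exemption ACE (the original post uses an object-group) are assumptions.

```python
import re

# Constructed sample ASA running-config (pre-8.3 NAT syntax, as in the thread).
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 10.0.5.0 255.255.255.0 10.0.7.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
global (outside) 1 interface
nat (inside) 1 10.0.5.0 255.255.255.0
nat (outside) 1 10.0.7.0 255.255.255.0
"""


def check_anyconnect_hairpin(config, pool, inside):
    """Return {check: passed}; pool and inside are (network, mask) tuples."""
    lines = [ln.strip() for ln in config.splitlines()]

    def net(n):  # "network mask" as a regex literal
        return re.escape(f"{n[0]} {n[1]}")

    # 1. Hairpin: VPN traffic enters and leaves the same (outside) interface.
    intra = "same-security-traffic permit intra-interface" in lines

    # 2. sysopt connection permit-vpn is on by default and hidden from a plain
    #    'show run'; only the explicit 'no ...' form means it was disabled.
    permit_vpn = "no sysopt connection permit-vpn" not in lines

    # 3. Dynamic PAT for the pool: 'nat (outside) <id> <pool>' whose id is
    #    bound to a 'global (outside) <id> ...' entry.
    global_ids = {g.group(1) for ln in lines
                  if (g := re.match(r"global \(outside\) (\d+) ", ln))}
    pool_pat = False
    for ln in lines:
        m = re.match(rf"nat \(outside\) (\d+) {net(pool)}$", ln)
        if m and m.group(1) in global_ids:
            pool_pat = True

    # 4. NAT exemption inside -> pool via 'nat (inside) 0 access-list <acl>'.
    exempt_acls = [m.group(1) for ln in lines
                   if (m := re.match(r"nat \(inside\) 0 access-list (\S+)", ln))]
    nat_exempt = any(
        re.match(rf"access-list {re.escape(acl)} extended permit ip {net(inside)} {net(pool)}$", ln)
        for acl in exempt_acls for ln in lines)

    return {"intra_interface": intra, "permit_vpn": permit_vpn,
            "pool_pat": pool_pat, "nat_exempt": nat_exempt}
```

Feed it the text of "show run" with the pool and inside tuples; any False entry is one of the pieces this thread had to add before internet access from the pool worked.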
10-22-2013 12:50 PM
Jouni - Thanks for all of your help. Everything is working now.